I can indeed install Mollom, Honeypot or some other security method over the captcha image choice, but usually image captcha works -- the fact that the index.php was compromised leaves me a bit more worried though.

I don't think a human is entering accounts, and it is possible that the image captcha is being broken but I also just increased its complexity further and it is still being broken.

Thanks for your comments and suggestions. I suspect myself captcha breaking algorithms taking place, so I'll work on setting up a different method of protection.

It definitely isn't a human though because the city chosen, for example, is in France but the country is USA. Or the street name is in German and it makes no sense... and then the user name sometimes is just digits like 24897345. -- It could be a human, but a very sloppy bad one.
=)

With Mollom I still get fake users and comments being added, so it isn't working any better than an image-captcha system.

I do see a good percentage of traffic from China, and the client suggested themselves to ban China from accessing the site since it is unlikely China would like to access their site for "legitimate" reasons.

I don't like the idea of censoring a site to an entire country, but maybe there is no other way in this instance?

These new accounts continue to add in addresses that are illogical, like giving a US city and then a zip code for someone who lives in the Netherlands (the format of a Dutch zip code is 4 numbers and two letters: 1234 AB), with a hotmail email and a site link to some obviously spam thing (like a perfume webpage).

Since the spam only goes to the moderated comments and then never appears on the site, I doubt any human being would bother doing this several times a day when they don't show up on the actual site and just bombard the client's inbox instead.

Country ban aside: Honeypot might be the way to go next, unless someone had a different suggestion.

Is country banning a common practice with Drupal security choices these days, or should I avoid this at all costs (like my conscience is telling me I should)?
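The address inconsistencies described above (a Dutch-format postal code on a US address, a username that is only digits) can be turned into a simple triage check on new registrations. This is an added example, not Drupal or Mollom code; it is a standalone Python script that holds a registration for review when its stated country and postal-code format disagree, using a small constructed subset of postal-code formats and constructed sample records.

```python
import re

# Postal-code formats for the countries the thread mentions.
# Assumption: an illustrative subset; a real check would use a full table.
POSTAL_PATTERNS = {
    "NL": re.compile(r"^[1-9][0-9]{3} ?[A-Z]{2}$"),  # Dutch: 4 digits + 2 letters, e.g. "1234 AB"
    "US": re.compile(r"^[0-9]{5}(?:-[0-9]{4})?$"),   # US ZIP or ZIP+4
    "DE": re.compile(r"^[0-9]{5}$"),
    "FR": re.compile(r"^[0-9]{5}$"),
}

def postal_code_matches_country(postal_code: str, country: str) -> bool:
    """True if the postal code fits the stated country's format (unknown countries pass)."""
    pattern = POSTAL_PATTERNS.get(country.upper())
    if pattern is None:
        return True
    return bool(pattern.match(postal_code.strip().upper()))

def suspicion_reasons(registration: dict) -> list:
    """Return the inconsistency signals found in one registration record."""
    reasons = []
    country = registration.get("country", "")
    postal = registration.get("postal_code", "")
    if postal and not postal_code_matches_country(postal, country):
        reasons.append("postal code does not match stated country")
    # A Dutch-style code ("1234 AB") attached to a non-NL country is a strong mismatch.
    if country.upper() != "NL" and POSTAL_PATTERNS["NL"].match(postal.strip().upper()):
        reasons.append("Dutch-format postal code with non-NL country")
    if re.fullmatch(r"[0-9]+", registration.get("username", "")):
        reasons.append("username is digits only")
    return reasons

def review_registrations(records):
    """Split records into (hold_for_review, auto_accept) by presence of any signal."""
    held, accepted = [], []
    for rec in records:
        reasons = suspicion_reasons(rec)
        (held if reasons else accepted).append((rec["username"], reasons))
    return held, accepted

# Constructed sample registrations modelled on the descriptions in the thread.
SAMPLE_REGISTRATIONS = [
    {"username": "24897345", "country": "US", "city": "Boston", "postal_code": "1234 AB"},
    {"username": "jan_de_vries", "country": "NL", "city": "Utrecht", "postal_code": "3511 AB"},
    {"username": "maria", "country": "US", "city": "Denver", "postal_code": "80202"},
]

if __name__ == "__main__":
    held, accepted = review_registrations(SAMPLE_REGISTRATIONS)
    for name, reasons in held:
        print(f"hold {name}: {'; '.join(reasons)}")
    for name, _ in accepted:
        print(f"accept {name}")
```

Held registrations would go to the same moderation queue the comments already use, so a mismatch costs a legitimate user only a short delay rather than a rejection.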

I use Project Honeypot on all of my websites. Its purpose is to trap email harvesters. I think you may want the Bad Behavior project:

Bad Behavior is a set of PHP scripts which prevents spambots from accessing your site by analyzing their actual HTTP requests and comparing them to profiles from known spambots. It goes far beyond User-Agent and Referer, however.

The problem: Spammers run automated scripts which read everything on your web site, harvest email addresses, and if you have a blog, forum or wiki, will post spam directly to your site. They also put false referrers in your server log trying to get their links posted through your stats page.

As the operator of a Web site, this can cause you several problems. First, the spammers are wasting your bandwidth, which you may well be paying for. Second, they are posting comments to any form they can find, filling your web site with unwanted (and unpaid!) ads for their products. Last but not least, they harvest any email addresses they can find and sell those to other spammers, who fill your inbox with more unwanted ads.

Bad Behavior intends to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts.

Over the years I have installed and managed at least 1/2 a dozen different content management systems and have never had ANY fake registrations of this sort using just standard captchas as preventive measure.

I suspect somewhere in the code (core and/or modules) an alert message is going out alerting someone or a network when a Drupal site is brought online.

I would be curious to know from those experiencing the attacks if you installed Drupal core or a distribution. I would also be curious to know what type of spam is being posted to your site since I set administrator approval for registration from the beginning.

I am reinstalling just the Drupal core and will take it from there. For sure I will not run a package that does this. We know spam is a money maker and temptation can be great for low level developers.

From my web searches this issue has been going on for several years. I may have missed it but I did not see any meaningful developer feedback.

Let me take a look and see who the Drupal core developers are and where they are from.

I've been building websites with Drupal for years. Drupal's versatility allows me to quickly build complicated web-based applications that would not be conventionally possible with out-of-the-box solutions like WordPress. I've also found the community to be fairly responsive in addressing development issues.

That said, I will be the first to say Drupal has MANY shortcomings as it relates to its user profile system.

I operate a local news website built on Drupal. We push hundreds and sometimes even thousands of visits each day. I have implemented reCAPTCHA, Mollom, and e-mail verification and probably some other measures I'm forgetting. None have been successful in preventing spam user registrations. And I do get at least 5-10 each day.

I've searched for a solution to this problem for years and have turned up empty-handed.

The suggestion that a developer simply switch to a platform of moderating every piece of content submitted is simply not feasible on a website that pushes large volumes of traffic.

I know Drupal 8 is in development. I've noticed some things that are a big driver of this development -- such as mobile compatibility.

But I really believe the user registration spam issue is a major shortcoming that can turn off bigger websites from using Drupal. User registration spam should be a priority in Drupal 8.

We need more large websites using Drupal, as it adds to the platform's credibility. So if we can't provide a platform for these large companies that rely on user-driven content, how can we expect Drupal to become the leading CMS?

...And maybe that's never been the goal of Drupal. Who knows?

I will say that the user registration seems to not be getting any better. And there doesn't appear to be any effort from the Drupal community to seriously address this issue.

I would address it if I had the know-how, but I'm not a developer.

CSwann brings up a very valid point in that the broadcasting of new Drupal websites could be driving spam. For example, modules receive data from websites that download the module. I'm not an expert in this field by any means, but I certainly think this deserves a look.

Is this creating a security loophole for spammers? If it isn't, then what is driving the large amount of spam user registrations that don't seem to be apparent in platforms like WordPress?

Hi to all participants of this discussion,
I think I am late with the solution; however, despite the fact that almost a year has passed, I am doing it anyway. I would not like to have it considered as an ad, but it can be a real solution to prevent the creation of fake accounts (users). I would like to propose to try Keypic: http://drupal.org/project/keypic
We develop Keypic keeping in mind the unity of spam protection and accessibility.
Keypic shows better results for blocking fake registrations, spam comments, spam contact form submissions, etc. Along with effective spam protection, your users do not need to prove they are human (better user engagement, higher conversion and loyalty). We developed a special anti-spam (spambots and spammers) algorithm that is more effective than CAPTCHA. Just try it, it is available for free. I think you will see the difference. No CAPTCHA, No Spam!
Best
Evgeniy